Ian,

Ian G wrote:
> On 26/1/09 19:43, Jean-Marc Desperrier wrote:
>> About Apache, it seems the potential problem is more with OpenSSL, it
>> will not enable SHA-2 by default if you only enable the default
>> algorithms for SSL.
>> But I think most people choose instead to initialize all the algorithms
>> OpenSSL knows about, and apparently so does mod_ssl.
>> Then, I wonder what is going on? We'll see I guess.
>
> Although, I think there are two separate questions here, being SHA in
> TLS and SHA in certs.
>
>> Firefox knows about SHA-2 since Firefox 2.
>
> Yep, saw that.
>
> iang
NSS understands the SHA-2 algorithms in certificate signatures, and has
for a very long time.
However, the SSL3 and TLS protocols, up to TLS version 1.1, also use
hashing algorithms themselves. There are several ways in which they do so:
1) Both the SSL3 and TLS 1.0 and 1.1 PRF (Pseudo Random Function) are
hard-coded algorithms that make use of a combination of MD5 and SHA-1
hash functions. So, if you absolutely want to get rid of both MD5 and
SHA-1, then you also must stop using all currently deployed versions of
SSL and TLS. Not very practical. However, this is not as urgent as one
might think, since the PRF algorithm uses HMAC MD5 and HMAC SHA-1, a
keyed MAC (HMAC) that hasn't been shown to be broken. Even if HMAC MD5
was broken, HMAC SHA-1 would still need to be broken as well, and it is
not very likely that any collisions found would be the same between the
two hashing algorithms. So, the threat against the SSL/TLS PRF is much
more theoretical at this point, but nevertheless one that must be
addressed long term.
2) Each cipher suite also uses a particular hashing algorithm for data
integrity (MAC). For example, a common one may be "SSL3_RSA_WITH_RC4_128_MD5",
or "SSL3_RSA_WITH_RC4_128_SHA". Right now, you could disable the
use of all MD5 cipher suites if you wanted, if your client allowed.
Unfortunately, it seems the UI to do so is missing from Seamonkey 1.1
:-( . It used to be possible to select individual cipher suites in the
old Communicator days, and even Mozilla 1.x. But I don't see that UI
now :-( . Also, even more unfortunately, all cipher suites defined for SSL
3.0 and TLS 1.0 or 1.1 use exclusively MD5 or SHA-1, to the exclusion of
any other hash algorithm. So you can't use SHA-2 in the protocol. But
you can use SHA-1 over MD5. Doing so may however render your client
unable to communicate with some servers that are configured to use only
the MD5 SSL/TLS cipher suites - which are known to be faster than the
SHA-1 suites.
The IETF's long-term solution to these problems is to move to TLS 1.2,
which allows the PRF function to be configurable and use only a single
hash algorithm, which is parameterized and the same as that in the
cipher suite. You can see the changes in RFC 5246. All the new cipher
suites in TLS 1.2 use SHA-256 for the hash algorithm, and both MD5 and
SHA-1 have been dropped.
Currently, NSS doesn't support TLS 1.2 yet. This has been on our radar
for a while, but it's impossible to say when we will get to it. I'm not
really surprised that there isn't much software out there that does
either. All SSL/TLS libraries will need to be upgraded, all applications
will need to be changed to use them, and finally all end users, clients
and servers, will have to switch over. No doubt this will be a
difficult transition, much more so than for people to upgrade their
client and server certificates to use SHA-2 algorithms.
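As an added illustration (not part of this thread, nor NSS code), the two PRF constructions contrasted above, written out in Python from RFC 2246 and RFC 5246: the TLS 1.0/1.1 PRF splits the secret and XORs P_MD5 with P_SHA1, so an attacker would need to defeat both keyed hashes; the TLS 1.2 PRF is a single P_<hash> whose hash comes from the cipher suite. SSL 3.0's own (non-HMAC) construction is not shown. The secrets, labels and random values in the test are constructed sample inputs.

```python
import hmc_placeholder_never_used  # noqa: F401 (intentionally absent: see below)
```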
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto